Re: [fw-wiz] tunnel vs open a hole

From: Frank Knobbe (fknobbe@knobbeits.com)
Date: 04/08/03

    From: Frank Knobbe <fknobbe@knobbeits.com>
    To: Dave Piscitello <dave@corecom.com>
    Date: 08 Apr 2003 15:34:15 -0500
    

    On Tue, 2003-04-08 at 12:16, Dave Piscitello wrote:
    > [...]
    > No one discussed the benefits of using an encrypted, authenticated
    > tunnel (SSL, SSH, ...), which do provide additional controls.
    > [...]

    At the same time, some tunnels have certain drawbacks. Depending on what
    tunnel you use, you may not know the sender's IP address. For example, if
    you use SSH to forward ports, you don't get the source's IP address (it
    depends how you forward, most of the time the request would be coming
    from 127.0.0.1). I'm not sure about ZBD but I believe it works the same
    way. You would have to check the SSH/ZBD/yourtunnel logs, but that only
    shows you a general connection or the tunnel endpoint, not related or
    associable to the real request (e.g. tcp port or sequence numbers),
    or to the host behind the endpoint.

    That 'hiding' behind tunnel endpoints can't be a benefit :)

    Cheers,
    Frank

    
    

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
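
The effect described in the message above, as an added example that is not part of the original post: a constructed loopback demo in which a small stand-in forwarder (not SSH itself) relays one connection to a service. It goes slightly beyond the message by also recording, on the forwarder side, the accepted peer together with the outbound source port, which is the pair a log would need for the service-side entry to be tied back to the real client. Assumptions: Linux, where any 127.0.0.0/8 address can be bound, with 127.0.0.2 standing in for the remote client; all function names are hypothetical.

```python
import socket
import threading

def listener():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))   # any free loopback port
    s.listen(1)
    return s

def serve_once(srv, seen):
    conn, peer = srv.accept()
    seen.append(peer)          # the address the service would log
    conn.recv(16)
    conn.close()

def forward_once(lsn, target, log):
    cli, cli_peer = lsn.accept()
    out = socket.create_connection(target)
    # Record both sides of the relay: who connected, and which local
    # address/port the forwarded connection leaves from.
    log.append((cli_peer, out.getsockname()))
    out.sendall(cli.recv(16))
    out.close()
    cli.close()

def observe(client_ip, via_forwarder):
    seen, log = [], []
    srv = listener()
    dest = srv.getsockname()
    threads = [threading.Thread(target=serve_once, args=(srv, seen))]
    if via_forwarder:
        fwd = listener()
        threads.append(threading.Thread(target=forward_once, args=(fwd, dest, log)))
        dest = fwd.getsockname()
    for t in threads:
        t.start()
    with socket.socket() as c:
        c.bind((client_ip, 0))   # constructed stand-in for a remote client
        c.connect(dest)
        c.sendall(b"hello")
        for t in threads:
            t.join()
    return seen[0], (log[0] if log else None)

if __name__ == "__main__":
    print("direct   :", observe("127.0.0.2", False))
    print("forwarded:", observe("127.0.0.2", True))
```

Without the second element of the forwarder's log entry, the service-side record (127.0.0.1 plus an ephemeral port) cannot be matched to any particular client.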


